IT Disasters: Lessons From the Insurance Industry

Municipal governments in disaster-struck areas are having trouble getting insurance policies that will help their region recover from natural disasters. Insurers aren't keen to take on high-risk clients -- like New York City since Hurricane Sandy -- all on their own. However, they might be willing to accept that risk if they share it with private investors. This is the idea behind catastrophe bonds (or "cat bonds").

The theory of the cat bond is relatively simple: insurers transfer their risk to capital market investors who are betting against catastrophe, that is, betting that a hurricane or an earthquake won't hit a particular place in a specified period of time. If this proves true, investors are repaid principal plus relatively high interest. If disaster strikes, however, the cat bond investors are on the hook and lose their principal.

My question is this: Could the same basic premise be applied to IT catastrophes?

Organizations already have the option of buying "cyber insurance": liability insurance that protects them when they have a data privacy and/or security breach.

Organizations also have the option of buying insurance to protect their datacenters and other facilities from fires, floods, and earthquakes.

However, PII breaches and natural disasters aren't the only sorts of cyber catastrophe your organization might experience. What about a breach of intellectual property, or a lengthy denial of service that costs you and/or your customers a million dollars in lost business? What insurance policy covers that?

If insurers were going to start selling cat bonds to allay the costs of paying for IT catastrophes, they would likely want to set their prices based upon your organization's existing security posture and disaster recovery plan. If you could convince them that you're doing a bang-up job on your security and disaster recovery plans already, it might be easier to convince investors to bet against you having an IT catastrophe.

So, in addition to getting you some financial back-up, it might be a driver for your company to invest more in security and DR to begin with.

Would anyone bet against your organization having a cyber catastrophe? If so, would you be interested in it -- especially if it made insurance easier to obtain and made your premiums cheaper? Let us know what you think in the comments below.

@ Zaius, you made a very good point. This is another big hurdle in the way of such bonds. Convince the insurer, the insurer will convince the investor in turn, and then the investor will consult his IT experts. Keep adding the layers in the process and you will keep going farther from the possibility of such a thing. At the end of the day, it might be too difficult for the insurers and investors to understand the dynamics of IT.

@kstaron Hmmmm. Interesting thought: "But wouldn't "cat bonds" in an IT company pretty much be the same as a stock purchase of the company anyway? If I invested in the company I am riding or falling on how the company including its IT department fares." I suppose that's true to a degree, but I wonder if any investors actually think of it that way.

I just keep shaking my head over this one. I honestly think it would be more feasible to do "cat bonds" for the IT industry than it would be for natural disasters. Given climate change and the lackluster action of nearly any country to do anything about it, I can only see that disasters are going to get more frequent, not less, as areas that were dry get wet, areas that were cold get warm, and in general all the weather we are used to is a thing of the past. But wouldn't "cat bonds" in an IT company pretty much be the same as a stock purchase of the company anyway? If I invested in the company I am riding or falling on how the company including its IT department fares.

Considering the current security scenario of big organizations and news about big security breaches at organizations which are supposed to be the most protected because they have all the resources at their disposal, it would be difficult to persuade the insurers and private investors to come up with insurance cover for security breaches.

I would guess not many are buying the insurance but those who do have a lot to lose in intellectual property so it makes perfect sense for them to protect themselves. I've heard enough stories about really well thought out and expensive backup solutions failing or being more or less useless because it was never tested and when disaster struck the company found out the hard way just how much they could lose.

@ Broadway - No insurance makes sense in this case. There was a company called "Fantex" who was offering what amounted to an IPO on athletes. Kind of crazy in my mind and apparently not a big pool of investors either.

The blogs and comments posted on EnterpriseEfficiency.com do not reflect the views of TechWeb, EnterpriseEfficiency.com, or its sponsors. EnterpriseEfficiency.com, TechWeb, and its sponsors do not assume responsibility for any comments, claims, or opinions made by authors and bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
